CVE-2026-54759

Sažetak

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.

Reference

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-r6v5-4c66-f6pw
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-r6v5-4c66-f6pw

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

25-06-2026 - 14:22

Objavljeno

24-06-2026 - 22:16